Month: November 2016

Dr. Barbara Simons about Internet voting on As It Happens

Carol Off interviewed Barbara Simons on CBC Radio’s As It Happens on November 24, 2016. The segment is about the US recount, but Dr. Simons is asked about Canada:

Carol Off: What concerns should the Canadian government have [about switching to computer/internet based voting]?

Barbara Simons: First of all, the notion that internet voting increases the number of people who vote is not true. The increase is small. It doesn’t even increase participation by young people. On top of that, if you want to have the elections hacked in Canada, the best thing to do is have internet voting — because that makes it really easy to hack them, anywhere. And a nation state has enormous power to do that.

The full transcript is available; scroll to the segment “Election Recount”.

For more about Barbara Simons see my list of computer science experts

https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#BarbaraSimons

Previously:
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons

Province of Nova Scotia Internet voting

(This post is about provincial-level voting, not the municipal elections covered in the Municipal Elections Act.)

The Election Commission of Nova Scotia examined Internet voting in 2013. Their report is available within Elections Nova Scotia: Annual Report of the Chief Electoral Officer April 1, 2012 – March 31, 2013 (PDF) – specifically pp. 14-16 Appendix I: Internet and Telephone Voting in Nova Scotia.

They find:

After considering the literature available, including a careful review of Elections BC’s Discussion Paper on Internet Voting[3], the Commission members developed a unanimous position that it is premature to entertain either Internet based or telephone voting options at this time.

[3] Elections BC – Discussion Paper: Internet Voting (PDF) – August 2011

The NS Commission identified the following questions:

  1. How secure are Internet and telephone-based voting transactions?
  2. Can service availability be guaranteed?
  3. How do you know it is me voting?

Experts warn that currently no transaction using the Internet can be guaranteed to be secure. Despite advances in security, there is still the chance a voter’s identity and voting choice could be exposed, or that someone could vote with someone else’s credentials.
The possibility of collecting family members’ PINs and then voting on their behalf increases significantly in the privacy of one’s own home. At their very best, lists of electors rarely surpass a 95 percent coverage and accuracy level. Under Internet or telephone voting arrangements, the chance of being caught voting on behalf of someone else is minimal.

  4. Is there an audit trail I can follow?

In the existing traditional paper based voting system, …. A record exists of how many people voted and identity information (but not how they voted) exists about each person who cast a ballot at an assigned ballot box. That is the “before state.” Ballots can then be physically verified and recounted by a provincial court judge. The number of ballots counted must correspond exactly to the recorded number of people who voted at that polling station.
Perhaps the largest leap of faith with Internet and telephone voting is the fact that there is no “before state” examinable. While an auditor can easily demonstrate that the number of votes cast equals the number of votes counted, there remains considerable debate whether there is a satisfactory and transparent way to compare how many of those votes were actually cast by electors verified as registered and not having voted before, and whether each vote was accurately recorded by the software used.

  5. Can I watch the count?

The traditional method of voting achieves transparency by having the acts of voting and counting take place in controlled physical locations, where observers representing all interested parties can witness the process and ensure that all required procedures are properly followed.
Technology encases the voting and counting process in a “black box,” which reduces transparency and, potentially, public confidence. …
In addition to the known insecurities, a provincial general election conducted on an Internet platform for web or telephone voting could elicit new levels of unknown threats from hackers seeking to gain a high profile from a successful attack. Consider also that the most serious attacks would likely come from persons or groups motivated to change the outcome without anyone noticing.
With that in mind, the adversaries of an election system would not likely be amateurs in basements but interested groups and individuals with a significant stake in the outcome of an election.

And finally to quote from their Conclusion

Until credible answers to [the questions above] are available, and until functioning, transparent Internet and telephone voting systems have been demonstrated and proven, extreme caution and prudence is required.

Brief submitted to New Brunswick Commission on Electoral Reform – November 2016

I have submitted my brief to the commission; it’s a 16-page document with 31 references cited.

You can find the PDF at

https://drive.google.com/open?id=0B1dTIjUvkfsDbU1pTS1CSXJHTzBuUVpjMXhHS3JUcEp4ZHdB

where you can download by clicking on the down arrow in the upper right of the screen.

Or you can see the embedded version below. NOTE: Due to a quirk of Google, the page numbering in the embedded doc below is off by one. The table of contents has the right numbers, but the bottom right numbering is off by one; page 2 should be page 1.

UPDATE 2017-01-28: The link to the Kitchener report in my document is incorrect; it should be:

Gosse, R. (2012, December 10). FCS-12-191 – Alternate Voting – Internet Voting. Retrieved from City of Kitchener – Laserfiche WebLink: https://lf.kitchener.ca/WebLinkExt/DocView.aspx?id=1235356&dbid=0

Previously:
November 20, 2016 New Brunswick electoral reform consultation including Internet voting
October 6, 2016 Brief submitted to [Federal] Special Committee on Electoral Reform – October 2016

Province of Ontario Internet voting

(This post is about provincial-level voting, not the municipal elections covered in the Municipal Elections Act.)

Ontario examined provincial online voting from fall 2010 to fall 2012, with the resulting three years of investigation being published as a report on “alternative voting technologies” in June 2013.  The report is in two parts, consisting of the main report and a separate Appendix 5 which is a 231-page business case about online voting.

The report is currently available on the Elections Ontario page Reports and Publications, under Recommendations

The report concludes that Internet voting, which it calls “network voting”, is not ready for use because it does not meet the necessary requirements and needed level of integrity.

Elections need to be administered with proven, well-tested, and secure processes. Innovations must be tested in a methodical and principled manner, so that the benefits and risks of the innovation can be objectively assessed, without endangering the trust that electors have in the integrity of the process and the validity of the results.

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

The report sets out very clear requirements that a voting system needs to meet

Our implementation criteria are:

  • Accessibility:
    The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
  • Individual verifiability:
    The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
  • One vote per voter:
    Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
  • Voter authentication and authorization:
    The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
  • Only count votes from valid voters:
    The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
  • Voter privacy:
    The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
  • Results validation:
    The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
  • Service availability:
    The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

This language calls to mind the requirements in the Computer Technologists’ Statement on Internet Voting.

The report identifies a number of risks that are specific to Internet voting, including digital authentication, digital denial of service, and lack of transparency.

When developing our implementation criteria, we ensured that they addressed the following risks and limitations:

  • Security concerns – security breaches that could jeopardize the integrity of the voting process.[vi]
  • Secure digital authentication mechanisms are not available.[vii]
  • The possibility of denial of service – whether deliberate or inadvertent.[viii]
  • Lack of transparency, including for a vote audit or for recount purposes, due to the lack of a paper trail.
  • The digital divide – some electors or subgroups of electors do not have equal access to the internet.
  • Network voting is costly – particularly when supplementing existing voting channels.[ix]

The end notes are
[vi] For example, Vaughan, Huntsville, Edmonton. Edmonton recently completed a trial implementation of internet voting, where electors were invited to vote online for their favourite colour of jellybean. On the basis of this trial, a citizen panel recommended to city council that they proceed with plans for internet voting in the upcoming election for the city of Edmonton. However, the city council rejected this recommendation, citing concerns regarding security.
[vii] For example, Vaughan; concerns raised by McAfee
[viii] Vaughan and others citing the denial-of-service experience faced by the NDP during its 2012 leadership election.
[ix] For example, Vaughan; U.S. military

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

The report continues by examining the use of Internet voting in Ontario municipalities.

In 2010, 44 of 444 Ontario municipalities offered network voting for their municipal elections.

Turnout does not increase when online voting is offered.

The academic literature supports Markham’s experience in suggesting that there are inconclusive results about the impact of network voting on voter turnout. Voter turnout is influenced by a number of factors, many which are difficult to quantify. These include, for example, the competitiveness of the election, candidate campaign mobilization efforts, issues at stake, voter fatigue, and the weather, among other elements that may vary from one election to the next in the same jurisdiction.

The technology, introduced with claims of efficiency, sometimes actually introduces delays and increases risk.

…a total of 33 municipalities experienced system delays on election day when servers became overloaded due to hardware problems and higher-than-expected levels of access by election candidates. Electors were delayed in casting their votes during this time. In some cases, voting hours were extended by an hour in order to compensate for the lost time; at least one municipality extended voting for a full day.

The hardware server error experienced by the vendor raises concerns regarding reliance on vendors to provide critical election related services such as election results accumulation and tabulation. An overreliance on vendors and technology can heighten risks to the electoral process if appropriate mitigation strategies are not in place.

When Ontario examined the municipal experience and compared the technology available with the requirements (listed earlier), they concluded

If we return to public expectations that a network voting solution would be more convenient, just as secure and less cumbersome than our current processes, the experiences of many Ontario municipalities indicate that the benefits of network voting may not be as great as predicted.

The report then looks at Nova Scotia

In 2008, four municipalities in Nova Scotia offered internet voting in their municipal elections. By 2012, that number had grown, and 15 municipalities offered internet voting.

and at Alberta

After the City of Edmonton withdrew its support in February 2013, Alberta withdrew its funding for other internet voting pilots and decided not to proceed with a regulatory change that would have permitted pilots in municipal elections.

Ontario’s conclusion based on federal and provincial evidence:

Most jurisdictions have concerns with the security of voting over the internet as technology and legislative frameworks have not yet evolved to fully address integrity concerns.

When examining the US experience, Ontario finds particular importance in independent public audits:

First, we will need to extensively test any proposed solution to ensure that it meets our implementation criteria. When conducting these tests, we should consider the value of offering independent, public review and open testing to ensure that Ontarians can be satisfied that we have resolved any potential concerns regarding security, privacy, authentication, and verification.

The report then turns to the 2003 and 2007 Internet voting trials in the UK. For the large trial in 2003 it finds:

Overall, although electors enjoyed the convenience of network voting, it had a very minimal effect on turnout. While some jurisdictions experienced voter turnout increases up to 5 per cent, other jurisdictions registered a decline in voter turnout of up to 8 per cent.[xxviii]

For 2007, the results were even worse:

In a review of the pilots, the United Kingdom Electoral Commission found there was insufficient time available to implement and plan the pilots, and the quality assurance and testing was undertaken too late and lacked sufficient depth. The United Kingdom Electoral Commission stated that “the level of implementation and security risk involved [with the pilots] was significant and unacceptable”.[xxx]

The end notes are
[xxviii] United Kingdom Electoral Commission. 2005. Securing the Vote.
[xxx] United Kingdom Electoral Commission. 2007. “Key issues and conclusions: May 2007 electoral pilot schemes.”

See the references mentioned in the end notes in the copy of Appendix 3: Selected Works Consulted.

All that remains of the Securing the Vote report on the UK Electoral Commission site is the page Securing the vote – detailed proposals for electoral change announced.  The actual document itself does not show up in search.  The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots; the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online.  There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Returning to the Province of Ontario report, moving on to conclusions, the key point that Internet voting does not increase turnout is again emphasized

As we discussed earlier in this report, often people assume that introducing a new channel of voting such as network voting will translate to an increase in voter turnout. Our research supports the findings of the City of Edmonton’s Issues Guide on Internet Voting which states that, at present, there is

“no conclusive evidence that shows introducing Internet voting will have a positive impact on turnout. Internet voting will not fix the problem of voter turnout decline completely – it is not a solution to the social and political causes of non-voting. ….”[xxxiii]

The end note is

[xxxiii] Goodman Issues Guide: Internet Voting. p. 20.

This is a reference to Edmonton’s Issues Guide: Internet Voting by Nicole Goodman, November 2012.  Currently available from the City of Edmonton, and also in the Internet Archive.

To quote the Issues Guide:

The rationale(s) for not adopting Internet voting or for being more cautious in its consideration include topics such as security, notably threats of hacking and election fraud and problems associated with voter authentication. Privacy/ ballot secrecy is also cited as a worry. Additionally, there is uncertainty surrounding an effective evaluation process such as the ability to audit the election that may include a re-count or some type of ballot verification.

See the references mentioned in the end notes below in the copy of Appendix 3: Selected Works Consulted.

Moving to Appendix 5: Network Voting Business Case

Alternative Voting Technologies Report – Appendix 5 Network Voting Business Case (2012).pdf – copy in Internet Archive

I will quote only the section on chain of trust, just to illustrate the complexity of properly building an Internet voting system, followed with some commentary:

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

  1. Source code audit to verify that the code will do only what it is intended to do.
  2. Digital signature of the audited source code to protect its authenticity and integrity.
  3. Trusted build of the executable code in front of auditors (based on audited source code).
  4. Signature of the executable code to protect its authenticity and integrity.
  5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
  6. Logic and accuracy testing of the voting system to validate it works properly.
  7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
  8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
  9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

So this sounds reasonable, if challenging, time-consuming, and expensive, plus requiring a great deal of specialised expertise (which means excluding most oversight by ordinary citizens). But when examined from a computer science perspective, it might as well be called “the insurmountable mountain chain of trust”, because each step indicated above is a difficult problem in and of itself, and some of them are active areas of research because they are currently unsolved.  Doing a meaningful source code audit for any non-trivial source code is incredibly challenging.  Making a “trusted build” is almost impossible, because literally every software component in the build needs to be somehow trusted.  Needing trusted software components means a logical loop that can’t be satisfied: in order to build trusted software, you need a trusted compiler, but in order to build a trusted compiler, you need a trusted compiler.  Similarly, the concept of “logical seals” sounds great, but no such thing exists.  You might as well say “magic lock”.  This is just one of the reasons why computer scientists will tell you that secure Internet voting with trusted software is a problem that isn’t currently solved.
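Items 7 and 8 of the quoted list (cryptographically protected logs, reviewed after the election) can be made concrete with a hash-chained log. The sketch below is an added example, not code from the Ontario report or from any voting vendor; the record layout, the `witnessed_head` idea and the sample events are assumptions constructed for illustration. It shows that the chain flags a record edited in place, while a log regenerated wholesale on the server still verifies unless auditors hold the final digest somewhere that server cannot write to.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain (assumption)


def entry_digest(prev_digest, event):
    """SHA-256 over the previous digest plus a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode("utf-8")).hexdigest()


def build_chain(events):
    """Link events into records of the form {"event", "prev", "digest"}."""
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_digest(prev, event)
        chain.append({"event": event, "prev": prev, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain, witnessed_head=None):
    """Return (ok, reason).

    Checks that every record links to its predecessor and hashes correctly.
    If `witnessed_head` is given (the final digest that auditors recorded
    outside the log server, an assumption of this sketch), the chain must
    also end in exactly that digest.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, f"entry {i}: broken link"
        if entry_digest(prev, rec["event"]) != rec["digest"]:
            return False, f"entry {i}: digest mismatch"
        prev = rec["digest"]
    if witnessed_head is not None and prev != witnessed_head:
        return False, "head does not match witnessed digest"
    return True, "ok"


# Constructed sample events; identifiers are placeholders, not real data.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "system_sealed", "build": "PLACEHOLDER-BUILD-ID"},
    {"seq": 2, "type": "ballot_stored", "ballot_id": "b-0001"},
    {"seq": 3, "type": "ballot_stored", "ballot_id": "b-0002"},
    {"seq": 4, "type": "poll_closed", "ballots": 2},
]


def demo():
    original = build_chain(SAMPLE_EVENTS)
    witnessed = original[-1]["digest"]  # written down by auditors at poll close

    # Case 1: a single stored record is changed after the fact.
    edited = copy.deepcopy(original)
    edited[2]["event"]["ballot_id"] = "b-9999"

    # Case 2: the whole log is regenerated from changed events, so every
    # link and digest is internally consistent again.
    changed_events = copy.deepcopy(SAMPLE_EVENTS)
    changed_events[2]["ballot_id"] = "b-9999"
    rebuilt = build_chain(changed_events)

    return {
        "original_with_anchor": verify_chain(original, witnessed),
        "edited_in_place": verify_chain(edited),
        "rebuilt_no_anchor": verify_chain(rebuilt),
        "rebuilt_with_anchor": verify_chain(rebuilt, witnessed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A passing check shows only that the records are the ones the auditors witnessed; it says nothing about whether the software that wrote them recorded each vote accurately.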

Finally, here are the works cited by the main report. Where necessary, I have added Internet Archive links for unavailable works.

APPENDIX 3 – SELECTED WORKS CONSULTED

2001 University of Waterloo Faculty of Mathematics Work Report on Internet Voting Technologies

University of Waterloo Faculty of Mathematics Work Report on Internet Voting Technologies

Original report was at www·student·cs·uwaterloo·ca/~dasibley/
Now only available in the Internet Archive.
prepared by Douglas A. Sibley
March 2001

Conclusions

Without clean-room conditions, it is impossible to know whether a computer’s hardware and software are correctly transferring the intent of the voter into the correct form and registering it with the voting authority. Without a system that has been thoroughly reviewed by the cryptographic community, it is impossible to know whether the system is secure. In conclusion, since Internet voting has many theoretical flaws and the parts that are not theoretically flawed are not adequately proven, Internet voting should be abandoned and proscribed for all elections mandated by law, including, the public sector, elections mandated by corporate law, and union elections. The risks of fraud are too great.

Recommendations

This report recommends that the traditional paper-based system be used to ensure fairness and security. This report also recommends that Internet-based voting be outlawed for any elections held or mandated by government.

Updated from the original post on my legacy blog.

Waterloo Internet voting

The City of Waterloo has again rejected the use of Internet voting in its municipal election.

I really liked the framing by Regional Councillor Jane Mitchell: “showing that you are really tech savvy”.  Which is to say, rejecting Internet voting doesn’t show that you are backward-looking, it shows that you actually understand the technology.

Waterloo Region Record – Waterloo rejects online voting, ranked ballot – by Paige Desmond – November 21, 2016

Waterloo Chronicle – Waterloo council rejects Internet voting for 2018 – by Samantha Beattie – November 22, 2016

CTV News Kitchener – Waterloo council says no to online voting, ranked ballots – November 22, 2016

The meeting was the November 21, 2016 Council Meeting.  The meeting will be posted to YouTube account citywaterloo.

The relevant report is CORP2016-105 Alternative Voting Methods (Internet Voting) by Olga Smith.  The report can be found on pp. 84-93 of the original packet (PDF) for the November 21, 2016 Council Meeting.  (The original packet is also available in the Internet Archive.)  It is an update on previous report CORP2013-053.

The CORP2016-105 report offers an overview of the current unfortunate state of affairs as Internet voting spreads across (small, low-IT-capacity) Ontario municipalities:

Since 2003, there has been an increase in Ontario municipalities introducing alternative voting methods (internet, telephone and mail-in voting). In 2014, 97 out of 414 Ontario municipalities offered paper, vote-by-mail, internet and telephone ballot options, others a combination of paper and internet or, in the case of 61 municipalities, offered all electronic (internet and telephone voting). The municipalities’ population ranges in size from 900 to approximately 300,000.

It then identifies some key concerns

Opponents of internet voting advise of concerns including:

  • security concerns and process vulnerabilities
  • voter authentication
  • loss of transparency with reduced oversight of the voting process by candidates and scrutineers

Next it turns to debunking some Internet voting myths, starting with turnout

The results of an extensive study conducted by Elections British Columbia, and presented to the Legislative Assembly of British Columbia in February 2014, dispel the myth that internet voting increases voter participation in general and participation by young people in particular

The report being referenced is from the British Columbia Independent Panel on Internet Voting, specifically the February 2014 Recommendations Report to the Legislative Assembly of British Columbia (PDF).

For security concerns it paraphrases me (I was not aware of this until now)

Research and information from experts in the computer science field warn of the risks of the use of online voting including:

  • Widespread use of online voting could enable coercion of voters and possibly vote buying.
  • Software and hardware components that would be involved in marking, transmitting, receiving and counting an online ballot represent an unreasonably high risk to the chain-of-custody for the ballot.
  • Canadian government departments have already been successfully cyber attacked.
  • Computer and national security experts warn that online voting is not secure.

The original text from my submission to ERRE reads

Considerations:

  • Widespread use of online voting would enable widespread coercion of voters, including vote buying.
  • The innumerable software and hardware components that would be involved in marking, transmitting, receiving and counting an online ballot represent an unreasonably high risk to the chain-of-custody for the ballot.
  • Canadian government departments have already been successfully cyberattacked by nation-states.
  • Computer security experts warn that online voting is not secure.
  • National security experts warn that online voting is not secure.
  • Social science evidence indicates that online voting won’t increase turnout.

It doesn’t reference my brief (lack of citations is not unusual for city staff reports).

CORP2016-105 also examines concerns about Internet voting in the following areas (using the document numbering):

  1. Auditability
  2. Scrutiny
  3. Accessibility (it finds that online voting provides accessibility)
  4. Lack of Federal/Provincial Standards
  5. Additional Costs for Internet Voting

The report next presents data from Guelph and Cambridge, with the following observations:

  • The statistics from municipalities offering a choice of paper ballots or internet voting show that most voters choose to mark a paper ballot.
  • Cambridge did see a minor increase of 1.18% in voter turnout as compared to 2010.
  • Guelph did see an increase of 9% in voter turnout as compared to the 2010 election but the increase could be attributed to the mayoral race and not necessarily that internet voting was offered.

[Image: CORP2016-105, pp. 92-93 – Cambridge and Guelph]

This is followed by a chart for Guelph’s 2014 election showing a typical voter distribution pattern, i.e. there is no dramatic increase in youth turnout for an election with Internet voting.

[Chart: City of Guelph voter turnout by age, 2014]

The supplementary information packet (revised packet) for the November 21, 2016 Council Meeting also includes (on page 9) an email from Urs Hengartner, Associate Professor, Cheriton School of Computer Science, University of Waterloo, which I have reproduced below with email address removed:

-----Original Message-----
From: Urs Hengartner
Sent: Sunday, November 20, 2016 1:02 PM
To: Clerk Info
Cc: Jeff Henry
Subject: Comment on item 7.c)
         "Alternative Voting Methods (Internet Voting)"

Hello,

Here is a comment on item 7.c) “Alternative Voting Methods (Internet Voting)” to be discussed during the Waterloo City Council Meeting on Nov 21, 2016.

Given the arguably unexpected outcome of the U.S. presidential election, many people have called for an audit of the election result. As it turns out, about 25% of the entered ballots exist only in electronic form, so auditing them is pointless. Fortunately, the remaining 75% of the ballots (also) exist in paper form and could be audited.

In an Internet voting system, there are no paper ballots that are filled in by a voter him/herself or by a machine in the voter’s presence, so there is no paper record that reliably documents the voter’s intent.
Given that it is each voter’s choice with which voting system to vote, the percentage of votes entered via an Internet voting system could reach a significant proportion of the overall votes. Therefore, auditing an unexpected or narrow election outcome would become impossible. In turn, rumours alleging mistakes in the voting system or attacks on it could not be addressed, leading to voters losing their trust in the integrity of the voting process.

Best,
 Urs

--
Urs Hengartner
Associate Professor
Cheriton School of Computer Science University of Waterloo, Canada

Quebec moratorium on electronic voting – archived press releases

Quebec has a moratorium on electronic voting.  The main information pages are:

There is an accompanying extensive report in French only – Élections municipales de novembre 2005 : Rapport d’évaluation des nouveaux mécanismes de votation – octobre 2006 (PDF)

There used to be four press releases (two in each official language) that accompanied the information pages.  Unfortunately those press releases have been archived.  Using my Pinboard cache plus Google and Bing caches I located copies of three of the pages; I have requested the text of the other one (Communiqué 2) although you can figure out its content based on Press Release 2.

Press Release 1

Evaluation Report of New Methods of Voting – The Chief Electoral Officer Makes a Disturbing Diagnosis of the Problems that Occurred during the Municipal Elections of November 6, 2005

October 24, 2006

Québec City, October 24, 2006 – Today, the Chief Electoral Officer of Québec, Me Marcel Blanchet, tabled in the National Assembly an evaluation report that makes a troubling diagnosis of the problems that occurred during the municipal elections of November 6, 2005, in some of the 162 Québec municipalities that used new methods of voting. One hundred and forty (140) municipalities used electronic voting while 22 “tested” the postal ballot. “The major problems that were encountered during polling and the release of results have eroded the confidence of many persons regarding the new methods of voting” recalled Me Blanchet. “It was in order to shed light on these events and determine what happened that I created an internal evaluation committee which conducted a review that is unprecedented in Québec.”

An In-depth Review that Used the Expertise of All those Concerned

The evaluation committee that reviewed the November 2005 polls examined:

– the written reports of 144 returning officers, three suppliers of electronic voting services and the supplier of postal ballot services;

– the complaints received by the Chief Electoral Officer following the elections, the motions presented before the courts, as well as judgements rendered by the courts.

The committee also met most of the returning officers as well as several stakeholders in person: services providers, experts, observers and complainants. It also reviewed the rejected ballot papers in seven municipalities, as well as technical audits of electronic ballot boxes and voting terminals used during the municipal elections. For this last stage, the evaluation committee called on the expertise of the Centre de recherche informatique de Montréal (CRIM).

The Problems Encountered in November 2005 are the Result of Many Circumstances

“We all remember the events that marked the municipal elections of November 6, 2005,” recalled the Chief Electoral Officer. “Not only did the systems fail, but the corrective measures proposed were insufficient, poorly adapted and often came too late. The primary objective of our evaluation was not to point fingers since all those involved with the municipal elections of 2005 must share some responsibility for these problems,” explained Me Blanchet. “We are keen to understand certain situations and examine certain problems that arose primarily in order to be able to trace the path toward electronic ballots that, if maintained, should be marked by transparency and integrity that are at the heart of our democratic values,” declared the Chief Electoral Officer.

The root causes of the problems encountered by the various actors of the 2005 municipal elections include the following:

  • an imprecise legislative and administrative framework that did not adequately assign roles and responsibilities or address the risks inherent in electronic voting;
  • absence of technical specifications, norms and standards that would have guaranteed the quality and the security of the voting systems used;
  • poor management of voting systems (especially lack of security measures) leaving a lot of room for errors, accidents and the absence or insufficiency of solutions in case of problems.

More specifically, it is possible to pinpoint a number of circumstances that increased the risks:

  • Voting machines, machines used for quality control of components and machines aimed at ensuring the security of the methods of voting and the integrity of the vote were not adequately tested.
  • In most cases, there was no backup plan covering all potential problems.
  • Procedures on how to use voting systems were not documented.
  • Due to the importance of the technical aspects of the vote, some returning officers had difficulty harmonizing their responsibilities with those of service providers, leading, for instance, to loopholes in the training of election staff.
  • One of the suppliers overestimated its ability to simultaneously serve a large number of municipalities, particularly the largest municipalities.
  • This supplier probably delegated too much responsibility to sub-contractors (especially regarding training).
  • Imprecise contracts and incomplete specifications blurred the relationships between municipalities and their service providers.
  • There were no independent experts on electronic voting to whom returning officers could turn.

“Ten years of using electronic voting with no major problem, ten years of increasing satisfaction by municipalities who kept asking for it, had given some credibility to this new approach to holding elections,” surmised Me Blanchet. “What we experienced on November 6, 2005, and what our examination of the situation revealed, should convince us that this approach is more risky than earlier thought,” concluded the Chief Electoral Officer.

It is worth recalling that in Québec, a municipal election involves all democracy partners. Thus, under the Act Respecting Elections and Referendums in Municipalities, a Québec municipality that would like to hold an election using electronic voting or the postal ballot has to sign a memorandum of understanding with the Minister of Municipal Affairs and Regions and the Chief Electoral Officer. The Act Respecting Elections and Referendums in Municipalities also states that it is a municipal actor, that is, the returning officer, who is in charge of the election and has responsibility for election operations, including honouring and administering the contract signed between his municipality and a supplier, for instance, of electronic voting systems. The Chief Electoral Officer, for his part, provides assistance to returning officers who so request and may, in keeping with his responsibilities and expertise in election matters, examine special situations and make recommendations.

Press Release 2

Evaluation Report of the New Methods of Voting – The Chief Electoral Officer Sets Very Stringent Conditions for the Future Use of Electronic Voting if it is Maintained

October 24, 2006

Québec City, October 24, 2006 – The review by the Chief Electoral Officer of the new methods of voting used during the municipal elections of November 6, 2005 leads him not only to question their value added, but to recommend very stringent conditions for the future use of electronic voting, if this method of voting is to be used again. In a report tabled today at the National Assembly, the Chief Electoral Officer, Me Marcel Blanchet, is very critical of the electronic voting systems that were used during last year’s municipal elections and on the manner in which they were used. In addition to noting that these systems did not seem to have lived up to expectations, he believes that electronic ballot boxes and voting terminals are vulnerable technologies. Furthermore, the manner in which they have been managed so far does not offer sufficient guarantees of transparency and security to ensure the integrity of the vote. As a result, the Chief Electoral Officer believes that it is up to the National Assembly to decide whether or not to maintain the use of these new methods of voting and that, for the time being, the moratorium on their use must be maintained.

“In its current form, the Act respecting elections and referendums in municipalities enables municipalities to decide whether to use a new method of voting during a general or by-election,” recalled Me Blanchet. “But after the evaluation that we have just conducted of electronic voting and the postal ballot, I am of the opinion that to reestablish the confidence that was eroded last November 6, major changes must be introduced to their legal and administrative framework, if they are to be maintained,” the Chief Electoral Officer stated. “The voting systems should be subjected to very high quality and security norms and standards before municipalities can use them again,” he added.

Revealing Tests and Audits

The recommendations regarding the future of electronic voting are based mainly on technical audits and tests conducted in collaboration with the Centre de recherche informatique de Montréal (CRIM) on the voting systems used during the last municipal elections. This detailed review was aimed at detecting the risks associated with the use of electronic ballot boxes and voting terminals.

The technical audits and tests helped to determine that electronic voting systems are exposed to many risks since they have limited or no formal protection and security measures, thus making them vulnerable to technological attacks. In addition, the systems are thus exposed to major service or network defects and breakdowns.

The review of the manner in which electronic ballot boxes and the voting terminals are tested, installed and managed during an election also reveals a lack of knowledge of voting system components, as well as lack of expertise by those involved with elections, including the service providers.

Modify the Framework and Implementation Method

Based on his evaluation of the new methods of voting in general and electronic voting systems in particular, that were used during the November 2005 elections, the Chief Electoral Officer recommends a modification of the framework governing their use and how they are implemented in Québec:

  • The legislation governing the use of these methods of voting must be reviewed and better defined, including the memoranda of understanding signed by the municipalities with the Chief Electoral Officer and the Minister of Municipal Affairs and Regions.
  • Rigorous technical specifications as well as security and reliability norms and standards must be adopted before any future use of a new method of voting. A group of experts must be created in this respect.
  • An independent authority must be vested with a mandate to monitor and the powers to audit and control the norms and standards related to the new methods of voting.

The Chief Electoral Officer also recommends that care should be taken to ensure that suppliers have the ability to offer their services to several municipalities simultaneously and suppliers should be required to sign more stringent contracts containing precise specifications regarding the professional services required and the voting systems used.

“The role and responsibilities of the Chief Electoral Officer, the Ministry of Municipal Affairs and Regions, returning officers and service providers must also be clarified,” according to Me Marcel Blanchet, “and it is definitely important for all these actors to receive in-depth training on the new methods of voting.”

As far as security is concerned, measures should be adopted in order to guarantee the integrity of the electoral process. For instance:

  • competent authorities should have access to the programming codes and source codes of the software used in the voting systems;
  • the implementation of mandatory and complete tests on all equipment to be used in an election;
  • the establishment of backup plans covering all potential problems;
  • the swearing in of all those responsible for programming and installing systems and software and providing technical support and troubleshooting;
  • the implementation of strict measures for the storage and safekeeping of systems used;
  • the adoption of measures aimed at ensuring that, after the election, the supplier destroys data recorded on the electronic voting systems.

To prevent the rejection of ballots by electronic ballot boxes, the Chief Electoral Officer also recommends the adoption of ballot papers similar to those used during traditional voting. In the case of voting terminals, these devices should be adapted to be able to do a recount.

As far as the postal ballot is concerned, the Chief Electoral Officer recommends especially that returning officers should adopt a model that is inspired from that used at the provincial level for voting by inmates and electors outside Québec. Thus, the systematic sending of voting kits to all electors domiciled in a municipality should be forbidden.

Communiqué 1

Evaluation Report on the New Voting Mechanisms – The Chief Electoral Officer Gives a Worrying Diagnosis of the Problems That Occurred During the Municipal Polls of November 6, 2005

October 24, 2006

Québec City, October 24, 2006 – The Chief Electoral Officer of Québec, Me Marcel Blanchet, today tabled in the National Assembly an evaluation report that gives a worrying diagnosis of the problems that occurred during the municipal polls of November 6, 2005, in a number of the 162 Québec municipalities that used new voting mechanisms. 140 municipalities used electronic voting at that time, while 22 municipalities “tried out” voting by mail. “The significant problems that marked the conduct of the polls and the release of results shook the confidence of many people in the new voting mechanisms,” recalled Me Blanchet. “It was to shed light on these events and establish the facts that I formed an internal evaluation committee, which carried out a review without precedent in Québec.”

An In-depth Evaluation That Drew on All the Actors Involved

The evaluation committee that looked into the November 2005 polls examined:

– the written reports of 144 returning officers and those of the three suppliers of electronic voting services and of the supplier of postal voting services;

– the complaints received by the Chief Electoral Officer (Directeur général des élections, DGE) following the polls, as well as the motions brought before the courts and the judgments rendered by them.

The committee also met in person with the great majority of returning officers, as well as several stakeholders: service providers, experts, observers and complainants. It also carried out a study of the rejected ballot papers in seven municipalities, as well as technical audits of the electronic ballot boxes and voting terminals used during the municipal elections. For this last stage, the evaluation committee drew on the expertise of the Centre de recherche informatique de Montréal (CRIM).

The Problems That Occurred in November 2005 Are the Result of a Combination of Circumstances

“We all remember the events that marked the municipal polls of last November 6,” recalled the Chief Electoral Officer. “Not only did systems fail, but the corrective measures proposed were insufficient, poorly adapted and often late. The primary objective of our evaluation was not to single out one party rather than another as responsible for these difficulties, since all the actors in the 2005 municipal polls must share some responsibility,” Me Blanchet specified. “If we wanted to understand certain situations and look into certain problems, it was above all in order to be able to chart the way toward electronic polls that, if they are maintained, should be marked by the transparency and integrity that are at the centre of our democratic values,” the Chief Electoral Officer stated.

At the root of the failures noted by the various actors in the 2005 municipal polls, the following must be emphasized:

  • a legislative and administrative framework that lacked precision, particularly with regard to the roles and responsibilities of each party and the risks inherent in electronic voting;
  • an absence of technical specifications, norms and standards that would have guaranteed the quality and security of the voting systems used;
  • ways of managing the voting systems (particularly the insufficiency of security measures) that favoured errors, mishaps and the absence or insufficiency of solutions in case of problems.

More specifically, it is possible to point to a number of circumstances that increased the risks:

  • There was insufficient testing of the voting devices, insufficient quality control of system components and insufficient security measures aimed at protecting the voting mechanisms and, consequently, the integrity of the vote.
  • In most cases, there was no backup plan covering all potential problems.
  • The processes for using the voting systems were not documented.
  • Because of the importance of the technical aspects of the vote, some returning officers had difficulty aligning their responsibilities with those of the service providers, which caused, for example, gaps in the training of election staff.
  • One of the suppliers overestimated its capacity to serve a large number of municipalities simultaneously, particularly the largest ones.
  • This supplier probably delegated too much responsibility to sub-contractors (particularly with regard to training).
  • Contracts that were sometimes imprecise and incomplete specifications framed the relationships between municipalities and their service providers.
  • There was no independent expertise specializing in electronic voting to which returning officers could have turned.

“Ten years of using electronic voting with no major problem, ten years of growing satisfaction among municipalities that kept asking for more, had given a certain credibility to this new way of holding elections,” Me Blanchet estimated. “What we experienced on November 6, 2005, and what our examination of the situation reveals to us, should convince us that this path was much more hazardous than one might have believed,” concluded the Chief Electoral Officer.

It should be recalled that a municipal election in Québec is the business of a whole set of partners in democracy. Thus, under the Act respecting elections and referendums in municipalities (Loi sur les élections et les référendums dans les municipalités, LERM), a Québec municipality that wishes to hold a poll using electronic voting or voting by mail must sign a memorandum of understanding with the Minister of Municipal Affairs and Regions and the Chief Electoral Officer. The LERM also provides that it is a municipal actor, the returning officer, who is in charge of the poll and has responsibility for election operations, which includes honouring and administering the contract concluded between his municipality and a supplier, for example, of electronic voting systems. The Chief Electoral Officer, for his part, provides assistance to returning officers who request it and may, by virtue of his responsibilities and his expertise in electoral matters, examine particular situations and make recommendations.